Replacing the default SSL certificate on the reverse proxy

For conferencing services, we recommend that you install your own SSL/TLS certificates on the reverse proxy for maximum security. If you are using VMR Scheduling for Exchange you must install your own certificates.

If you are using v5 (or earlier) of the OVA template, refer to the previous documentation for the appropriate instructions.

To replace the built-in X.509 SSL certificate on the reverse proxy with a custom-created certificate:

  1. Create a text file called pexip.pem which contains the following items in this specific order:

    • server certificate
    • server private key (which must be unencrypted)
    • one or more intermediate CA certificates (a server certificate will normally, but not always, have one or more intermediate CA certificates)

    Note that the contents MUST be in this specific order for the certificate to work properly.

    The first section with the server certificate should contain a single entry in the format:

    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----

    The second section with the server private key should contain a single entry in the format (although it may instead show 'BEGIN RSA PRIVATE KEY'):

    -----BEGIN PRIVATE KEY-----
    <private key>
    -----END PRIVATE KEY-----

    Finally, there will normally be one or more intermediate CA certificates, where each intermediate has a section in the following format:

    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----

  2. Using the SCP file transfer protocol, upload the pexip.pem file to the /tmp folder of the Reverse Proxy and TURN Server. This can be done using, for instance, WinSCP (www.winscp.net) or the 'scp' command-line utility for Linux/macOS, with a command such as:

    scp pexip.pem pexip@198.51.100.130:/tmp

  3. After the pexip.pem file has been transferred into the /tmp folder, connect over SSH to the reverse proxy, log in as user pexip and run the following commands, one at a time:

    sudo cp /etc/nginx/ssl/pexip.pem /etc/nginx/ssl/pexip.pem.backup

    sudo mv /tmp/pexip.pem /etc/nginx/ssl/pexip.pem

  4. Run the following command to check the new certificate:

    sudo nginx -t

    If the certificate is OK, the response should look like this:

    $ sudo nginx -t
    [sudo] password for pexip: 
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

    However, if the certificate is missing, the response will look similar to this:

    $ sudo nginx -t
    [sudo] password for pexip: 
    nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pexip.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/nginx/ssl/pexip.pem, r) error:10000080:BIO routines::no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed

  5. If the certificate is OK, you can run this command to apply the new certificate:

    sudo systemctl reload nginx

After these commands have been run, the reverse proxy should now be operational and using the new certificate.
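
The ordering and unencrypted-key requirements from step 1 can be checked locally before the file is uploaded. The following is an added example, not part of the original documentation or a Pexip tool; check_pexip_pem is a hypothetical helper name, and it checks only the block layout, not that the key matches the certificate.

```shell
#!/bin/sh
# Added example: check the layout of pexip.pem before uploading it.
# check_pexip_pem is a hypothetical helper, not a Pexip or nginx tool.
check_pexip_pem() {
    pem_file=$1
    [ -r "$pem_file" ] || { echo "cannot read $pem_file" >&2; return 2; }
    cr=$(printf '\r')   # stripped below so CRLF files from Windows editors parse
    order=""            # block types in file order: C = certificate, K = private key
    open=""             # label of the block currently open, empty between blocks
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        case $line in
            "-----BEGIN ENCRYPTED PRIVATE KEY-----"|"Proc-Type: 4,ENCRYPTED"*)
                echo "private key is encrypted; it must be unencrypted" >&2; return 1 ;;
            "-----BEGIN CERTIFICATE-----")
                [ -z "$open" ] || { echo "BEGIN inside an open $open block" >&2; return 1; }
                open="CERTIFICATE"; order="${order}C" ;;
            # PKCS#8 "PRIVATE KEY" or a typed key such as "RSA PRIVATE KEY"
            "-----BEGIN PRIVATE KEY-----"|"-----BEGIN "*" PRIVATE KEY-----")
                [ -z "$open" ] || { echo "BEGIN inside an open $open block" >&2; return 1; }
                open=${line#"-----BEGIN "}; open=${open%"-----"}; order="${order}K" ;;
            "-----BEGIN "*)
                echo "unexpected block: $line" >&2; return 1 ;;
            "-----END "*)
                label=${line#"-----END "}; label=${label%"-----"}
                [ "$label" = "$open" ] || { echo "unexpected END $label" >&2; return 1; }
                open="" ;;
        esac
    done < "$pem_file"
    [ -z "$open" ] || { echo "unterminated $open block" >&2; return 1; }
    # Required order: server certificate, private key, then only certificates.
    case $order in
        CK*) case ${order#CK} in
                 *K*) echo "more than one private key in file" >&2; return 1 ;;
             esac ;;
        *)   echo "wrong order '${order:-empty}': certificate must come first, then key" >&2
             return 1 ;;
    esac
    echo "layout OK: server certificate, private key, $(( ${#order} - 2 )) intermediate(s)"
}

# Constructed sample (placeholder bodies, not real key material).
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'c2VydmVy' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'a2V5' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'aW50ZXI=' '-----END CERTIFICATE-----' > "$sample"
check_pexip_pem "$sample"
rm -f "$sample"
```

A non-zero exit status means the file should be corrected before step 2; a zero status still leaves `sudo nginx -t` in step 4 as the check that nginx can load the file.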

If any problem occurs with the replaced certificate, the previous certificate can be restored using the following commands:

    sudo cp /etc/nginx/ssl/pexip.pem.backup /etc/nginx/ssl/pexip.pem

    sudo systemctl restart nginx

If you rerun the installation wizard, you are given the option "Do you want to regenerate a new SSL certificate?". Ensure that you answer "no" to this option if you want to preserve your own certificate.